RE: [cobalt-users] userList.php possible exploit
- Subject: RE: [cobalt-users] userList.php possible exploit
- From: "Tom Honec" <tom@xxxxxxxxxxxx>
- Date: Mon May 5 09:44:02 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Anders,
I did not find this on the Sun Forums. I know they just started using
new ones; could it have been removed?
If you have any questions let us know. Have a nice day.
Sincerely,
Tom Honec
Nexpoint Technologies Inc.
Tel: 1-866-NEXPOINT [639-7646]
http://www.nexpoint.net/
-----Original Message-----
From: Anders [mailto:andersb@xxxxxxxxxxx]
Sent: Monday, May 05, 2003 11:01 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] userList.php possible exploit
>> Possible Exploit:
>> An authenticated Site Administrator is able to view all users on the
>> local system.
>>
>> Steps to Duplicate:
>> 1. Create a site on the RaQ 550
>> 2. Assign a user with Site Administrator privilege
>> 3. Access the following URL:
>> http://www.domain.com:81/base/user/userList.php?group=
>> 4. Login with the newly created Site Administrator account
>> 5. You should see all users on the server
>>
>> My question to the User Group is: has this been corrected by Sun, and can it
>> be duplicated?
>
> YES, I can duplicate it. Changing port 81 in your URL to 444 (the
> default admin port), I can log in as ANY site admin and view the entire
> list!!
>
> bad bad bad
The ports used on the 550 are: (somewhat backwards)
https://www.domain.com:81/base/user/userList.php?group=
http://www.domain.com:444/base/user/userList.php?group=
Two additions:
1) It doesn't have to be a site admin, any user will do
2) This bug affects every page/listing in the 550 GUI!
It was reported on the Sun Support forums back in Dec 2002. The solution is
to patch the PHP code with authentication checks.
--anders
PS. Note that it is "only" viewing, modifying gives errors.
_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
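The thread describes a listing page that is reachable by any logged-in user and, when `group=` is left empty, returns every account on the box; the stated fix is to add authentication and authorization checks to the PHP pages themselves. The following is an added example written for this archive page, not code from the Sun Cobalt RaQ 550 GUI: it models the vulnerable behaviour beside a hardened handler that decides what may be listed from the authenticated session rather than from the query string. The user records, the `$session` array shape, the site names and the two function names are constructed for illustration and do not correspond to Cobalt's real APIs or data.

```php
<?php
declare(strict_types=1);

// Added example (not Sun Cobalt's code). Constructed stand-in for the
// server's user database: a server admin plus two sites, each with a
// site admin and an ordinary user.
const USERS = [
    ['name' => 'admin', 'site' => null,            'site_admin' => false],
    ['name' => 'alice', 'site' => 'site1.example', 'site_admin' => true],
    ['name' => 'bob',   'site' => 'site1.example', 'site_admin' => false],
    ['name' => 'carol', 'site' => 'site2.example', 'site_admin' => true],
    ['name' => 'dave',  'site' => 'site2.example', 'site_admin' => false],
];

/** Rows belonging to one site. */
function bySite(array $users, string $site): array
{
    return array_values(array_filter($users, fn($u) => $u['site'] === $site));
}

/**
 * Vulnerable shape: the page assumes the web server already authenticated
 * the caller and trusts the "group" query parameter. An empty value
 * (the ?group= in the thread) is treated as "no filter" and leaks every
 * user on the system to any authenticated account.
 */
function listUsersVulnerable(array $users, string $group): array
{
    if ($group === '') {
        return $users;
    }
    return bySite($users, $group);
}

/**
 * Hardened shape: authorization is derived from the session, not the URL.
 * $session is ['user' => name, 'server_admin' => bool] or null when nobody
 * is logged in (assumed session layout). Throws a RuntimeException whose
 * code is the HTTP status the page should return.
 */
function listUsersHardened(array $users, ?array $session, string $group): array
{
    if ($session === null) {
        throw new RuntimeException('authentication required', 401);
    }
    if (!empty($session['server_admin'])) {
        // Only the server admin may list across sites; here an empty
        // group is an explicit request for everyone.
        return $group === '' ? $users : bySite($users, $group);
    }
    $me = null;
    foreach ($users as $u) {
        if ($u['name'] === $session['user']) {
            $me = $u;
        }
    }
    if ($me === null) {
        throw new RuntimeException('unknown user', 403);
    }
    // A missing or foreign group must never widen the listing.
    if ($group === '' || $group !== $me['site']) {
        throw new RuntimeException('forbidden', 403);
    }
    // Site admins see their own site; ordinary users see only themselves.
    return $me['site_admin'] ? bySite($users, $group) : [$me];
}

// Replay the thread's steps offline. In the real page the group would
// come from $_GET['group']; here it is the empty string from "?group=".
$group = '';
$alice = ['user' => 'alice', 'server_admin' => false];   // site admin, site1
$bob   = ['user' => 'bob',   'server_admin' => false];   // ordinary user

echo 'vulnerable, site admin, empty group: '
    . implode(',', array_column(listUsersVulnerable(USERS, $group), 'name')) . "\n";

foreach ([['nobody', null], ['alice', $alice], ['bob', $bob]] as [$who, $sess]) {
    try {
        $rows = listUsersHardened(USERS, $sess, $group);
        echo "hardened, {$who}, empty group: " . implode(',', array_column($rows, 'name')) . "\n";
    } catch (RuntimeException $e) {
        echo "hardened, {$who}, empty group: {$e->getMessage()} (HTTP {$e->getCode()})\n";
    }
}
echo 'hardened, alice, own site: '
    . implode(',', array_column(listUsersHardened(USERS, $alice, 'site1.example'), 'name')) . "\n";
echo 'hardened, bob, own site: '
    . implode(',', array_column(listUsersHardened(USERS, $bob, 'site1.example'), 'name')) . "\n";
```

Run with `php` 7.4 or later. The point of the hardened handler is the ordering of the checks: reject unauthenticated callers first, then decide the permitted scope from the caller's own record, and only then apply the requested `group`, so that an empty or foreign parameter narrows the result to nothing rather than widening it to the whole system. Anders' remark that only viewing is affected is consistent with this pattern, where the modify paths carry a check that the listing paths lack; the same check has to be applied to every listing page, which is why he notes the bug affects the whole GUI rather than one file.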